The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
Metric collection is used in many different contexts. “Metric,” in this context, refers to a data value representing a usage or performance characteristic of a computer, network, system or service. In some cases, metrics are used by system administrators to determine the health of a network. In other cases, metrics are used by advertisers to develop marketing strategies for specific demographics. However, conventional techniques related to metric collection, metric storage, and metric-based alerts have significant limitations.
In the field of metric collection, prior metric collection techniques have utilized strings as the format for transporting metrics. However, performing search queries on strings typically requires expensive regular expression operations in order to obtain useful metric data.
In the field of metric storage, businesses may grapple with the issue of how to efficiently store massive amounts of metric data using a finite set of resources. Typically, businesses perform data reduction, removing or merging older metrics to reduce the amount of data that needs to be stored (and thus the cost of storage). However, such techniques are inflexible and do not allow for the restoration of the older data in the event that the needs of users shift over time.
In the field of alert thresholds, network administrators develop systems that provide automatic notifications regarding potential problems in an operating environment based on metrics such as latency, dropped connections, refused requests, and so forth. However, conventional techniques, which utilize static absolute limits on the values of metrics, often generate false positives in certain situations. For example, a large number of requests received within a short time may signify that the network is experiencing a denial of service (DoS) attack. However, a hard threshold limit on the number of requests received causes false positives in the case where an event has occurred that generates a legitimate burst of activity. For example, if the business provides a streaming media service, the night a new blockbuster movie becomes available for streaming may cause much higher traffic than was expected when the threshold was initially set, thus causing an alert to be generated for legitimate activity.